Skip to main content

tv   Discussion on Digital Security  CSPAN  December 15, 2015 10:27pm-12:16am EST

10:27 pm
of this administration, all the historians have consistently rated reagan low. i believe out of ideological bias. >> sunday night on "q&a," historian craig shirley discusses his book "last act," a look at ronald reagan's life after leaving the white house and the way he's been remembered since his death. >> i like to write about reagan because i grew up in the '80s. i developed in the '80s. the it was house in time for us but i write about the facts, i don't make things up and i don't believe that ed meese or how will -- lou cannon makes things up. we've succeeded in repositioning people's thinking about ronald reagan so that it was -- the picture that emerges of a very serious, deep thinking considerate solicitous man. >> sunday night at 8:00 eastern on q and a ch.
10:28 pm
>> trade technology and cyber security experts talk about and demonstrate best practices for personal security and safety on the internet. hosted by the national cyber security alliance, this is an hour and a half. good morning everyone. that was a little weak. let's try this again. good morning. >> good morning. >> much, much better. my name is michael keiser, executive director of the cyber security alliance and it's my job to welcome you to talk about two factor authentication and a bunch of other issues related to cyber security. we'll talk about it more later in the morning, we are a public/private partnership we live that model of working with industry and government. so we have our partners from dhs who have been working with us on education and awareness.
10:29 pm
you may know us for cyber security awareness month or privacy day or the stop think connect campaign which will be discussed later on as well. these are efforts where government and industry and our other partners in the nonprofit sector, we work with groups like edu-cause to do education awarene awareness, to help organizations teach people how to say stay and more secure online. so listen to us and visit us on our web site to learn more about those things. we always talk about cyber security as fixing the weakest link in every chain. and having a shared responsibility which means we all have things that we need to do to make the internet safer and more security, no matter where we are, whether we're at home just doing e-mail, maybe social networking, doing a little shopping during the
10:30 pm
holiday season or if we're running the largest, most complex networks available. that everybody has some role to play in making their online experience safer and more secure. and so when we're here today talking about multifactor authentication or two-step verification or two-step authentication, whatever you want to call it, it's a really important piece of that puzzle. because it adds a layer of security for all of us to be safer and more secure online and to secure our most critical accounts from hackers. and so we'll talk about this but i'll give you an example. your e-mail account in many ways is the most important account you have, right? if you lose ownership of your e-mail dot a hacker, what happens theálciñ first time som tries to go to a web site you normally use? they ask for your password to be reset. where does that go? to your e-mail. so if you don't own your e-mail and someone else does, you're basically owned across the whole
10:31 pm
internet. so that's why this piece is so important. so when we talk about the shared responsibility and this notion of everybody participating, i'll leave you with this thought before i introduce our first speaker. if you think about the internet as an ego system of all of us connected and everything we do have an impact on each other you'll notice whatever you do to be safer online actually makes the internet more secure for all of us. this is a shared responsibility we all have. now it's my distinct and really privilege to introduce christina dorvier the branch chief cyber security awareness at the u.s. department of homeland security. she is in charge of education awareness, we have worked with christina for four or five years directly on national cyber security awareness month and the stop think connect campaign. she overseas the work force development arena of dhs where
10:32 pm
they're looking to build the cyber security forwork force non the hr side but to look at the cupid of folks that need in that arena as well as training. so we've worked with christina for more years. this is a true partnership between ncsa and dhs. we've worked together to build on each other's strengths to do the work that we do best, each other together and christina has been a true leader. underer will leadership the programs we have worked together have grown enormously and immensely and i think the trajectory is all good. we're going to get bigger and better as time goes on so it's my pleasure to introduce christina dorvier. [ applause ] >> good morning, everyone. thanks for coming out today to talk with us and hear about the work we're doing you'll hear about a lot of different topics in cyber security but i'm here
10:33 pm
to talk specifically about some of the work the department of homeland security is doing in cyber security and specifically the work we're doing to secure that public/private partnership. so i know a lot of people are familiar with dhs, traveling, upcoming for the holiday season, of course, the friendly faces you see at the airport are tsa agents. they work for the department of homeland security, the u.s. coast guard is part of the department of homeland security, fema, federal emergency management agency, the united states secret service and a host of others. however one thing you might not know about dhs and why i'm here today is that we also have a mission in cyber security and one of our main missions is to help protect the dot-gov. so any address that ends in dot-gov. so i believe we as michael said have that share responsibility and that's helping on the government side to make networks
10:34 pm
safe for everybody to use across the country. so a couple stats here. cyber security really does affect us all. as michael mentioned, everyone has a role to play. there's studies that show that smart phones are never more than about three feet away from anyone at any given time. most of you might be familiar this if you're using it as your alarm clock to get up in the morning and it's in your bed more to your suit jacket pocket throughout the day. so it shows how prevalent the internet and our access to information through the networks is in everyday life of the average person. in addition nearly one in five americans has been a victim of cyber crime and there is another stat that shows that the all up enterprise of cyber crime as a business, everything from the small stuff to the very big stuff has surpassed the illegal drug trade in the amount of money it's making annually. if that's not an indicator of where cyber crime has gone and where we're headed, that's a
10:35 pm
quick stat to help show that. and 43% of companies have experienced a data breach in the past year. so we are all of us together both on the private sector side, on the nonprofit organization side and the government side working to help educate people about what they can do to be safer on line to protect their companies, to protect their families and make sure they're having a safe user experience as they navigate the web. so one of the ways we're doing that at dhs, as michael mentioned, in partnership with nsca, is through the stop think connect campaign. so a little background. in 2009 when the president came into office he did a review of everything that was happening across the cyber landscape in the federal government and issued a report called the cyberspace policy review. as part of that report, one of the largest gaps they identified was that there was no education programming to americans on how they can be safe online. so think something similar to like a smokey the bear type campaign but for internet use.
10:36 pm
and so the department of homeland security was charged on the federal side to come up with something that we could do to help educate people and as i mentioned, i believe the department of homeland security is the people's department and we're working hard to protect people across various different systems and ways they operate in their normal day to day life and one is on the internet. so we got together with the national cyber security alliance and its industry partners and jointly developed and came up with the stop think connect campaign. i believe that's an unprecedented effort. for once it wasn't the government saying we know best and we'll move forward and not talk to anybody or other expecters. we have a meaningful partnership with ncsa and industry to help advance this effort. so as part of that, the department in our role specifically works with nonprofit organizations, academic institutions and other government entities including state, local, tribal and
10:37 pm
territorial entities to help spread the message. it's a train the trainer approach if you will. i know i can't speak to everyone across america all the time, neither can michael or anybody in this room but we can seek out trusted partnerships that already exist in communities and ask them to help carry that message to the folks they're talking to already. so as part of that we've established a partner program with dhs for government, nonprofit and academia where they can join with us and have access to messages and material wes use in the stop think connect campaign and we're excited to announce our goal for finishing out 2015 was to reach 250 partners and we did reach that and are surpassing that so we're excited about that opportunity. to work with people across the country. as an example about some of our partners, we have folks ranging from the international association of the chiefs of police to the aarp to the boys and girls club and girl scouts of america. so there's something in there for everyone in all communities
10:38 pm
across the country and we excitingly got our first tribal partner and if you know how the tribes don't typically like to work with the federal government that's a huge accomplishment for us and we're excited about that. another way we're doing outreach specifically to individuals is through our friends campaign and this is an opportunity for individuals like my mom, my dad to receive information directly from the department in partnership with many of the partners we have about timely topics that are relevant to them. so upcoming with the holiday season, perhaps holiday travel, things you should think about, being safe online as you're traveling as well as holiday shopping. during march and april we're putting out information about how you can file your taxes online and tips you should know from the irs. as part of that we have almost 50,000 individuals who have signed up and are getting monthly information from dhs about how to be safe online. if you're interested in getting involves from both the
10:39 pm
organization side or individual, our web site is there, d dhs.gov/stopthinkconnect and check out the resources we have available. as it relates to resources we have available there are all for free and they are designed to be used for a wide array of audiences. as i mentioned, older americans to law enforcement, government, industry, you name it we have something for everyone including teachers and students and parents specifically because while in your day job you might be a cyber security expert, when it comes to talking to your kids about what they're doing online, it's a totally different message than perhaps what you're used to. i'm privileged to be the head switch coach at washington lee high school in arlington and i can tell you the kids are very active online in ways you may not know. i make sure as part of my spiel i pitch that you must talk to your kids. so there's resources available
10:40 pm
for you, again, irrespective of what kind of demographic you can fall into. we have public service announcement quality videos, presentations that you can give if you did a career day, for example, or an information day at your child's school, as well as if you're a government entity and want to talk to your empl employe employees. we have quick tip, tip sheets that are easy to understand about simple things you can do. so our web site is there if you would like to down those materials or learn about other work we're doing so. mentioned the demographics about students, parents, other entities, government entities but we also work with businesses. we do that for a voluntary capacity at dhs. there's no mandate for us to specifically work with businesses but we find working with them allows us for broad situational awareness picture of what's happening across the entire national networks.
10:41 pm
businesses have access to data that cyber criminals are looking for. and especially small businesses. we find small and medium-sized businesses tend to be the largest targets because they don't think they have anything that people might want. if you're a yarn shop, you might not think the cyber criminals want any of your information. but if you're taking people's credit card data, if you're storing personal information with that, you do have something of value to folks. and so we also have found that small businesses may not have the specific resources they need to respond and prepare for cyber threats and as i mentioned their systems tend to be more vulnerable. the person who is their cio, or ciso, chief information officer, chief information security officer are the same people who do the financials and everything in between. so that's a group we wanted to make sure had access to resources and information so that they're able to keep themselves safe. so we have a couple different
10:42 pm
things. one is on our stop think connect web site we worked with the fcc and other small businesses across on the d.c. metro area to put together a small business cyber security planner and if you think of how you install a printer, like a wizard that you go through to install, it's a wizard like that that you can answer questions on and you'll have a customized cyber security plan for your small business, it's basic but gives you quick information about what you should be doing at the bare minimum to help keep your systems, employees, business safe and protected, another big aspect is through the critical cyber information company, we call that c-3 because we have to have an acronym in the government. if you're familiar with the work going on relled to the cyber security framework that the department of commerce put out over a year or so now, this is how the dhs is working to help implement the cyber security framework for businesses. so it's a public/private
10:43 pm
partnership that aims to connect businesses, go vt agencies and academia to dhs and other resources and they have a small business tool kit that you can see what it clun to help businesses be safe and protected as it relates to what they're doing on networks so they have a is separate web pages, dhs.gov or you can get there through our other web site. and lots of great information and resource there is geared specifically towards the private sector and the small and medium-sized business community. overall the department is really working to help try to do what we can and do our part in sharing information and resources, promoting best practices online and how people can be safe, anywhere from students, parents, teachers, older americans, government, law enforcement and industry and we really welcome any kind of input into how we can better be of customer service, how we can be better customer service focused
10:44 pm
programs to ensure the resources we are providing are relevant so there's opportunities to give us feedback. you can visit our web site or the e-mail address is checked by myself and it's not just going into a black hole and three or four other people on my staff. i can assure you, you'll get a response. if you have questions or go through our web site and see something missing or that should be there or you have a resource that might be relevant and want to make sure we're aware, send us a note, get in touch and let us know how we can be of better service to you. with that i'll turn it over. thanks for having me again today. appreciate it. [ applause ] >> thank you, so much, christina. it is a pleasure to see our federal government is doing so much for the public and she is a fantastic representative of that. thank you for taking the time to come out today and all you do for us. my name is kristin judge, i work with the national cyber security alliance and i wanted to first
10:45 pm
show you our thought leadership comes from not only the department of homeland security partners but these great partners on our board so we have a lot of great thinkers working with us everyday to help set the direction that ncsa goes in. i'm the director of the two helps ahead program that we started a year and a half ago in march of 2014 and we have been to 15 cities so far across the country, this is our 15th event and we're excited to be in arlington today. i want to encourage folks to live tweet. i don't mind if you're on your phone as long as you're tweeting about this. i can tell the different. i lususually keep your attentio. if you want to twee tweet #twostepsahead, it helps gain more audiences for your business and be part of the conversation. i want to give people some permission to not understand how to keep themselves safe online yet. if you think about it, we know how to protect our physical world, we've been doing it for a
10:46 pm
long time. i have a big dog, i keep dog toys out front, we cancel mail and newspaper when we're out of town so we've been doing this a lock time. but the internet is new so if you don't know how to keep it locked down and secure that's okay. i want to encourage you to embrace the internet and cyber security helps empower you to use it safely. the internet is a fantastic place, we just need to know a few things to epicoo ourselves safe. we want to teach you how to use two-factor a oor authentificati you can have peace of mind. put that extra layer of protection on key accounts with your e-mail. some research one of our partners did act two-factor awe the authentification showed this. people are concerned about getting hack bud we're not good at using passwords. we'll get into that more later but we're not that great about using good passwords or changing our passwords.
10:47 pm
about 39% of consumers do use two factor so we're getting somewhere compared to three years ago and if you notice the large breaches that have happened over the past couple years even in the main media outlet articles about those breaches they'll say if the company was using two factor authentification the breach may not have happened. so this is an important tool for everyone from personal use all the way into large corporations. at ncsa we made a short video on our web site that you can share to talk to people about what is two-factor authentification and then we'll go into it more in-depth after the video. >> two step, a time-honored dance move that involve, well, two steps. what happens if you don't take that second step in the results can be embarrassing. even painful. using a password alone to protect your online identity and sensitive data is like picking only one dance step. imposter cans trip you up and gain access to your pfinancial
10:48 pm
information. you need the two step, two-step authentification. that goes beyond just a password and incorporates another factor to make sure it's you and not someone with your password. more and more web sites and applications are implementing two-step authentification, also known as log-in approval or multifactor authentification. two-step authentification empowers you to take control of the safety of your online account, it's easy to use, gives your peace of mind and makes your digital life safer and more security. so let's do the two step. come on! stop, think, connect. >> so thaet's talk about the old way of protecting our accounts. we do this everyday, probably 40, 50 times a day. we put in our log-in information. we put in our password and we access our account. but we know there are folks out there stealing our credentials, our log in or password or guessing it through technology they have. so they can go into our account
10:49 pm
looking just like us. so we want to show you what we can do to make it so that the other folks cannot access your account without being kicked out without you knowing. one of the issues we have is our passwords are not that good, like i said earlier. if anyone can let me know why "monkey" is in this list, i would be thrilled to know. i've been to 15 cities, no one can tell me why monkey is in the top 10. we're still using 123456 as our most used password. if there's one thing skik you to do, if any of these passwords are your password, your home work is to go home and make them better. i'll show you how to do that. do you need a huge long strong password for every account you own? probably not. some of the accounts where you go, for example, and there's no credit card data on that account, your address isn't necessarily on it. for example i blog sometimes on a local news media station online. so i go in with my regular name but they don't have any credit
10:50 pm
card information or phone number or critical information so i use an easy password to get into that one but for my banking and other critical passwords like e-mail i use a stronger password. higher, stronger password. let's talk about what it looks like when you're using two-factor ah thepts cation. you put in your log-in and password information still, but then you get a secret code that comes to your phone or e-mail or an app, and only you have that code. and it's time sensitive. it only lasts for one to two minutes, maybe three minutes, depending on the company. so if the bad guy has your password and log-in, but they don't have that code, they can't get into your account. so it's really an easy step. and some people say to me, well, it's going to take me 30 seconds longer every time i want to get into my account. think about the amount of time it would take to clean up your tide if your identity was stolen or to clean up your credit cards and drivers license and change all those things if your account
10:51 pm
was hacked. it's a little bit of insurance and worth taking the time. we're very proud of the partnership we have with the better business bureau. at all 15 of our events across the country, they've been a part of those events. we have a representative here also. we've been working very hard on a small business program over the past six to ten months or so. and we want to encourage everybody to check out the website. bbb.org/the cyber security. there's workshops coming to a location near you soon. and we want to let small businesses know that we've taken this difficult topic and put it into language that you can understand. so we're very proud of that relationship. on our two steps ahead page on our stop, think, connect, you'll notice on the purple sheet that's a resource guide, all of the key websites that we encourage you to visit will be listed on that resource guide. so when you go home, you won't have to remember the ones that i'm sharing with you here. but we have posters you can
10:52 pm
download, a video, a how-to library and links to instructions. what i want to do right now is take you online and show you how simple it is to put two factor authentication on an account. firstly, i'm going to talk about passwords. this is a website where you can go in and test out a password and see how strong it may be. and i want to show you how long it would take the bad guys if they wanted to, to get into your account if you used "password" as your password. one second in a brut force attack. now let's see, they've been talking about not just passwords, but pass phrases. a pass phrase is a sentence -- i like to eat ice cream on sundays. it's pretty easy to remember,
10:53 pm
isn't it? think about if you just did something like if you see s you put in a dollar sign or an e you put in the number 3. and this is something dhu actually even write down. you could write down the sentence, i like to eat ice cream on sundays, and as long as you don't write the word password above it and stick it to your computer, i think you're going to be okay. if you have your sticky note on your computer with your passwords, that's another thing you'll have to fix. if you can have an easy sentence to remember. and then if you're visiting chase bank, you could add a c at the end of it, or eddie bauer to buy clothes, could you put an e at the end of it. you could have a unique password just by adding a different letter at the end. so though is a way to help you get an idea of what a better password looks like. start thinking of it as a pass phrase, not even a passion word and make it long and strong. i'm going to take you on an
10:54 pm
account right now to show you how simple it is to add two-factor authentication. google has a fantastic new security tool now. when you're in your google or gmail account and you click on this area here. you go to my account. i have taken both my parents and my sister and an aunt through though, because it's really fantastic. they have some security checkups in here. highly recommend you go through your google accounts today and do that. it will show you if someone from russia has been trying to access your account. who's been on your account, and you can make sure that they don't get back in there again. so there's a security checkup. and then, excuse me, put it back up here. sign in and security. when you're putting two-factor authentication on almost every account, it's under settings and then security, which makes sense. you go to your settings. you're changing the way you access your account and go to the security part. so here's the security checkup. but then here is two-step
10:55 pm
verification. and right now it's off on brian's account, but i'm going to turn it on. but it's called two-step authentication, two-factor ah them cation. because the internet is so new, we haven't decided all the words yet to agree on. so it may come in a little bit of a different form. so when you get to your account, it tells you a little bit about how to set it up and what it's going to do for you. they make you put your password in, which is a great idea. and they tell you to look at your phone, to add your phone number. and send it a code. and it takes about two to three seconds. the code comes directly to your phone. and this is the first time i'm setting it up. and i'm going to put my code in. and anybody can know this code, because because it's only going to last
10:56 pm
for a minute or two. and some people say, do i have to put that code in every single time i'm sitting at my computer. no, you don't. if you now you're sitting at your computer at your home, in your library, you can say trust this computer for 30 days, and you swroenwon't have to keep lo in with that extra code unless someone comes in from a different device and it will still prompt them. in 30 days you'll have to put it in one more time. but it's worth the time. and i'm going to confirm that i want to have that. and then i want to show you one more specific thing. so it's enabled on high fwomy g account. that took me less than ten seconds if i wasn't talking to you. if you get your mail on your phone, once you put two-factor authentication on your account, you have to put a one-time-specific password in your phone.
10:57 pm
and we have videos about that on our website, and it's on your purple resource guide. so please make sure that you add the app specific password one time to your phone. and if you have to update your ios system on your phone, sometimes you have to put that app specific password in one more time. so it's an extra step the first time if you want to get your mail on your phone. many people have social media. anybody here have a linked in account? it's really our rolodex now, but it's also a place for bad guys to go and fish information about you. they can find out who you know, who you work with and they can send you an e-mail. it's another good place they can also go in there and pose as you if they get into your account and then send malware to your friends. so you don't want to be the one who brings down your friends' computers. they have a how-to on the linked in account, on the linked in web page that's not going to go for me, so it's literally just 12 slides. it says go to privacy settings, put it on, put it your phone number and you're done.
10:58 pm
it literally takes liis tiess t than it did on gmail. another new thing is something that came out last june. and what you can do on here is just put in the name of the website that you want to turn two factor on, and it literally will take you, step by step, with screen shots. number one, you put in your name. number two, you go here. you click on this. and then you check ovlick over and it tells you step by step instructions. anybody can put two-factor account if they go to this website. they have it for over 100 websites. so most of the american public can find whatever they need on there. we also have videos of thousand turn on on our website. so i encourage you to look there. i'm going to pull back i aup he.
10:59 pm
and now i'm going to have michamik michael kaiser to come up. he's brought a video for us. and i'll let her start that when she's ready. thank you so much. [ applause ] thank you, kristin. and, you know, that's why we call this get two steps ahead because it really is just putting yourself ahead of the curve when it comes to being safer and more secure online. so now it's my distinct honor to introduce ms. mcsweeney. she was introduced in 2014 with the ftc and served in intergovernmental relations fort department of justice in the
11:00 pm
anti-trust division. serves as deputy assistant to the president and vice president from 2009 to 2012, serving president obama and vice president biden on policy in a variety of areas, including health care, innovation, intellectual property, energy, education, women's rights, criminal justice, domestic violence. she worked as senator joe biden's deputy chief of staff in the u.s. senate where she managed domestic and economic policy, development and the senate judiciary committee. but let me add one thing about the ftc, we consider it one of our prime partners. one of the first people we reached out to were the ftc. their educational material for consumers and small business are really some of the finest materials that we have out there. when you talk about partnership,
11:01 pm
which i did earlier, they make our job much easier. that's a great partner because of the quality of the materials that they develop for the communities that they serve. so we count on the ftc for a continuous evolution of quality materials for people to stay safe and secure online. so it's my distinct honor and pleasure to welcome commissioner mcsweeney this morning. [ applause ] >> thank you so much. good morning, everybody. thank you, thank you, thank you. thank you for that incredibly kind introduction. i really appreciate it. and thank you, also, for getting this video that i'm going to share queued up here. i really. delighted to join you this morning for this important event. i have to say, again, to underscore what michael said, that partnership here is incredibly valuable to the federal trade commission and its mission to protect consumers.
11:02 pm
we really value our partnership not only with the national security alliance but also with the better business bureau who is a really valuable partner to us in our consumer protection commission. michael gave a shout out to our wonderful materials available right outside the door at a table. so i wanted to thank liza who's here from the ftc who can help you find any materials that you're lacking. i would los direalso direct you website which has a lot of different materials available. i also want to thank christine delohr from my office who's joining me here today. as an ftc commissioner, i have the terrific job, which is i get to go around and take credit for all of the wonderful work that the staff with the federal trade commission does every day protecting consumers and preparing materials for business and education. i will underscore what michael
11:03 pm
said. they are fantastic materials and really provide plain english explanation for some of these complicated issues. so hats off to them for all the terrific work that they do. you know, the two steps ahead campaign is a wonderful way to spread the word about the steps that we can all take to protect our data and privacy online. we are the nation's premiere consumer protection agency. we work across all sectors, in protecting consumers from scams and frauds and increasingly our mission has modernized over time as consumers have moved from a brick and mortar world of consuming to an online and interconnected one. our mission has increasingly evolved to protecting consumers' privacy and data. we've brought more than 100 security and privacy cases over the last decade.
11:04 pm
but equally important to our mission is promoting that education materials, reaching out through better business bureau and through partners to try to make sure that businesses and consumers have the most up to date, effective information at their finger tips, both to protect themselves online and to adopt best practices. a lot of those materials are here today, as i said, but they're also available through our website, ftc dol. they'r and online on guard.gov. they are not copyrighted. we want you to take them, copy them, use them, rerun them, do whatever you want with them. the point is to get the information out there and get into the hands of people who need it. we've also distributed, and this is a campaign that's near and dear to my heart, millions of
11:05 pm
copies of our net cetera guide which gives guidance to parents and caregivers to talk to kids about privacy. i'm a parent of a 5-year-old and 7-year-old who are growing nun this incredibly interconnected world that we live in. we've probably heard this morning already a discussion of some of the risks here. you're probably well aware of them or you wouldn't have shown up to attend this event. but i just want to throw some numbers at you really quickly. i think everybody would probably agree, when i say the risk of data breaches and identity theft looms large, but to underscore that, the ftc has just to date in 2015,
11:06 pm
474,000 complaints. 7% of the population why victims of identity theft in 2014. in 2012, the financial losses from all identity theft and data breach totaled nearly $25 billion. and to put that number in perspective, that total loss of all property crime combined by comparison was just $14 billion. so that's a huge number, and i expect, if we look at more current numbers it might even be larger. so in addition to reaching out to consumers directly, the ftc -- >> pardon the interruption, in a few minutes we will be having a special forum on changing careers in arlington.
11:07 pm
[ laughter ] >> job hunting and changing careers. these include nonprofit and government resources. >> this is great. >> okay. i'm not offended if anybody wants to go to that. [ laughter ] >> but to continue, you know, we recently unveiled our start with security nashtive at the ftc, and we've been on the road with presentations around the country from silicon valley, i was in austin recently. we're moving out in communities all over the country. with new materials geared specifically towards businesses that are trying to do the right thing with security. so i brought a little visual aid. these pamphlets are available today. they're outside on the table. i'm really excited about the
11:08 pm
start with security initiative. because best practices and basically, ten, ten rules, based on enforcement cases that the ftc has brought, it goes through common mistakes that people make in businesses with security. it talks about how to remediate them. it's incredibly plain english, and i think it's a user's manual for doing the right thing to protect consumer data security. so i think it's incredibly helpful. if you don't find the answers that you need in these materials we have more available online as well, and also we have a specifi terrific staff who do respond to inquire eyeie inquiries. so we also have been distributing this information by a video, and i'm going to try to make the video work here.
11:09 pm
let's see. kristin, i think you have set this up, and now i need to -- this is, i'm stalling. technical help. so this is our latest video, which we're debuting today. and it reminds businesses to think critically about how to, about access to data on their systems. >> data is critical to the success of your business. the start with security video series and the resources at business @ftc.gov offer lots of valuable tips. citing who can get their hands on your data. not every employee needs access to everything, especially customer information. one social media company learned this the hard way when it was the subject of an ftc case. the company failed to restrict administrative rights so nearly every employee could access users accounts.
11:10 pm
hackers used credentials to reset passwords and send phony messages from accounts, including from a major news organization and the president-elect of the united states. information controls make a difference. look at your own company. who has administrative privileges? what data can they access? and what can they do with it? tailor access to job responsibilities. in another case, the ftc cited a financial firm for failing to adequately restrict access to consumer's personal information. employees who didn't need this information transferred more than 7,000 files to third parties, and one employee sold surplus hard drivers that contained information about 34,000 customers. helping your company avoid disastrous and preventible
11:11 pm
scenarios. assign access on a need to know basis. and put control on who can use certain databases. >> learn more ways to control access to sensitive data in your business and create a secure environment. >> that's a brand-new video out today on the website. and we have more video and training materials there as well as the materials that are here today at our table. you know, i think the, i just want to underscore that the start with security guide really reminds companies that security isn't a one-time effort but rather an ongoing process that requires continuous evaluation and updating. so if you take nothing else from that material, please take that lesson that's, that security is a daily task, that updating material is absolutely important, understanding your risks, trying to make the best choices possible are really, really vital to securing
11:12 pm
consumer data if you're handling it. for all of our efforts, to try to help make sure that the best practices in security are being deployed out there to protect consumer data, we recognize that there is no such thing as perfect security. that's not the world that we live in today. so one of the things that we've also been updating on the resources available to consumers are resources for consumers that are experiencing problems with identity theft issues. i think it's unfortunate, but i expect that more and more consumers are going to have need of these resources. so over the past year we've been updating all of the material on id theft.gov. so to is a one-stop shop for consumers to learn to protect themselves.
11:13 pm
so i am pleased to announce that we are going to continue to expand and update the resources there. right now the site helps consumers learn to generate an affidavit, learning what steps to take on identity theft, and how to obtain sample letters for business bureaus and debt collectors. but soon we will be unveiling enhancements to allow consumers to register and secure an account and track their progress over time. obtain a plan that walks consumers through each step they need to take. and get customized preprinted letters they can send out. i think will make it easier for those affected by identity theft to assess the damage and rye gain control over their identities. the ftc is going to continue to bring security cases protecting data exposing those who leave the sensitive data exposed.
11:14 pm
that we will take action if the rights of consumers are violated and that we will use all of the tools available to us to try to protect data in our increasingly interconnected world. so i want to conclude by emphasizing one thing in that the ftc alone cannot make security a priority. that's why i'm really grateful for our partnership with bbb and our partnership here today. i think all of us together and your presence here today really underscores that we can take security seriously and protect consumer data. so thank you for your attendance today. thank you for your interest in this topic. and i encourage you to check out our resources at the trade commission. if there's anything we're missing there, reach out to us, let us know what it is, and we'll try to provide it to you. so we want to be a rye source and a partner, and we're excited to move forward in trying to share the mission of protecting consumers. thank you so much for your time.
11:15 pm
[ applause ] >> thank you. if i could ask my panel to please come up and join us here. we're going to have a little panel discussion. let me just take a word as we're doing this to thank our partners here today who've helped bring this on. as we've gone across the country, we've had tremendous support from the local community around the work we've done and google has been a great supporter of ours in bringing this across the country. as we normally do in these events, we like to have some of the local folks come in and talk a little bit about what's going on. and we have a great panel here today. and i'm going to start, and by the way, we also have the opportunity for people to ask questions. we have some note cards. if you want to fill out a question, can you submit it, and we'll get it up here and try to get it answered for you. we have a terrific panel here today. i'm going to let them introduce themselves. so i'm going to start right out
11:16 pm
and say just go right down and just tell us who you are, and an a little bit about what you do, and we'll get into some specifics later. let me note that you misused the -- those work, those are for c-span, but go ahead. >> good morning. i'm kara sidener. i currently serve as the coordinator for the field office's local chapter. it is a non-profit organization, organized by chapters and geographically aligned with fbi field offices to promote two-way information sharing to protect critical infrastructure. >> good morning. my name is ken ball. i'm dean of the school of engineering at george mason university. and as dean of the school, we have eight departments, including the traditional, large engineering discipline such as electrical and computer engineering, mechanical engineering, bioengineering, but
11:17 pm
we also have computer science and information sciences and technology. and just within our school, we have 15 degree programs that are related to cyber security. and across the campus, we have a number of additional programs that are multi-discipline air eye that would pull in business and public policy. and one of our most recent program is a new bachelor of science in cyber security engineering. so we're trying to broader seeker security education to include engineering disciplines, to get into cyber systems and infrastructure. whether that's driverless cars or drones and uavs or the smart grid for electric power distribution, we're trying to take a proactive approach into se cyber security, and i would point out to those who have children considering what to do that right now the average starting salary for a cyber security professional in this
11:18 pm
division is $88,000. and if you have a security clearance on top of that, that can add another $25,000 to $30,000. so a lot of times our graduates are starting out with $100,000 with a great cyber security-related position. and there are 11,000 jobs currently noti lly in the great virginia area. it's expected to grow to 1 million positions. we're glad to work with our sister organizations across the nation to increase cyber security. >> i'm mary power. we started as the vigilance kmiet to root out snake oil sales men. the internet has created a new
11:19 pm
wild west. we rely on the internet for business, there are still snake oil sales men out there. we're here partnering with csa to add resources and knowledge to help you as a consumer protect yourself or you as a small, mid-sized business owner put the right safe guards in place, deal with your staff and make you a trusted business. >> you want to hand it back down here? >> a quick introduction. >> i'm jack bienko. i'm the director of entrepreneurship education. if you're not familiar with the sba, we work on financing and the small business creation. our resource network which is a large network of the university and mentor networks, we work on procurement issues for small businesses and disaster recovery
11:20 pm
and prevention. i know a number of items that have been discussed this morning, happy to see everybody here and a lot of the partners that we work in conjunction with on this area of concern. >> i want to go back to mary for a second. i know that you all at the bbb launched a significant new program. i think commissioner mcsweeney talked about some of the scams out there as did christina from dhs. tell us what you're up to. >> happy to. yes, we just launched scam tracker. it's an interactive tool where consumers can go online at bbb.org scam tracker and self-report on any scam that they think they are a victim of or aware that someone else might be a victim of. it gives real time tracking, what scams are in your area, how fast they're growing. you can put in a search word, irs scam, puppy, anything, and it will give an update or information about the scam, what media that they use, whether it's in person, robocall,
11:21 pm
online, a little bit what the pitch is and some things to be careful of. it also will say what audiences they target, though they change. if there's a senior citizen scam in florida, there's a real time heat map that will show where it's moving and what direction it may be heading and we in the bbb community can warn people and partner with groups, in this characteristic aarp, to warn people. >> you talk about this huge need in the northern virginia, d.c. area for jobs. can you give us more specifics about how you're actually getting young people into this workforce? >> yes, there are several initiatives that we've recently taken. one in particular, we're creating pathway programs through the community colleges and in particular northern virginia community college. and in fact, in our information sciences in technology program,
11:22 pm
more than half of our students conthrou come through that pathway, and by developing strong partnerships that extends by the way down through the k-12 system. we do a lot of outreach. and one unique aspect of the pathway program with the northern virginia community college is we're really reaching out to our veteran population and veterans, for example, can earn an associates of applied science degree and come directly over to george mason and the commonwealth is providing us with over $150,000 in the appropriation to provide specific guidance and advice to those students in the veterans pathway program. we're looking to expand that this year. we're also working with professionals in the area. we're won of six universities that are partnering with the united states army reserve command to create a
11:23 pm
public/private partnership to create cyber professionals. and that would be working professionals that are in the army reserve and to leverage their positions in industry in the area and provide them with additional training to help secure the nation's cyber security needs. so those are just a few of the examples. >> that's great. >> kara tell us a little bit, i'm not sure if everybody knows what info guard is and what the advantages are of being part of that process. >> info guard, two, is a partnership. it's been in existence coming up on 20 years. it was originally started as a very small grassroots effort in one of our smaller field offices in the midwest to really harness the expertise that existed in the private sector as cyber was exploding for the fbi and evolving and changing. so we sought out that expertise to help us get better about the
11:24 pm
threats that we were facing. moving away from kind of the traditional cyber criminal scams that obviously still exist and are still exponentially seen across america, but also seeing that go to nation states targeting our networks and resources and information as well. so as that was really evolving for us, we reached out to those key holders and stakeholders that had expertise in those areas to help us get smarter about those threats. since then, it's grown to an organization that has 40,000 individual members nationwide. so it's a little bit different than some of the fbi's other outreach mechanisms in that it's not specifically for a business or a position within a company but its individuals who volunteer because they're stakeholders in critical infrastructure and they want to protect not only their companies that they work for but themselves as individuals, their families and communities. so by joining, the fbi vets
11:25 pm
those individuals so folks who volunteer to be vetted by the fbi usually have an interest in keeping their communities safe, they're not doing to just for the heck of it. and we allow them, then, access to a secure portal where intelligence products are posted. a lot of the resources that we've heard about here, a lot of joint products with our dfs partners and others to inform consumers but also provide a mechanism for them to tell us things. and a lot of times an at an individual level, the federal threshold for the fbi to open an investigation is not met, whether it's a dollar amount or a statute. so we rely on our partners at ftc, at ic 3, the internet crime complaint center to aggregate a lot of that for us. and, as we see trends across the country, seeing that growth and aggregated data sometimes does rise to the level where we can get involved ourselves, but i
11:26 pm
like to think just hearing today we're extension of the partners that you're already hearing. i'm a cheerleader for the ftc, for the sba, referring our members to those resources as well. >> if someone is interested in becoming part of info guard, how would they go to start that process? >> www.info guard d.com. >> a key thing we've been working ong is a partnership with fbi where we can co-host with them, leveraging their infrastructure and much of their expertise to hold workshops on cyber security around the nation. so we're interested in scaling that, obviously, to more communities around the nation and digitizing it. so we've been working on a special project to upgrade some
11:27 pm
of the online learning that we offer. so we have a great cyber security course, it's sort of a one on one course. and we had over 10,000 people take that free course last year. we're also going to connect the digital dots. we've talked a lot about check lists and other resources that the federal agencies and local partners offer as well. we're doing a rot lot of communicationing. we also talk a loot with our mentors. we have 12 thousand men and women who serve as mentors to small businesses, where they're aspiring or growing across the country, so we're doing a lot more train the trainer information. we're going to do some internal, host internal experts to talk to these business men and women. so whether they're talking in great libraries like we have here in arlington, virginia,
11:28 pm
they can dig in an a little bit deeper, answer more questions quickly or make those referrals to expert organizations like info guard or others throughout the nation. so we're trying to facilitate, educate and inform small businesses, whether they're becoming aware of cyber security or in this huge growth area of small businesses that are in that space and in the d.c., virginia, maryland market, that's obviously a huge growth area. on a lot of fronts it's venture capital opportunities or making business to business relationships or federal procurement opportunities. so that's where we're seeing a lot of this growth within the sba and better connecting with organizations and individuals interested in cyber security. >> so, mary, i want to go back to you, too. i'll let you talk about, you know, an effort that ncsa and the bbb are starting to build to reach small businesses as well. when we think about the small business and cyber security, we know in many ways they're very
11:29 pm
hard to reach and very hard to get focussed on this issue. most small business owners are wearing multiple hats. they literally chief cook and bottle washer in most of these instances. >> you said it best at the start. small and mid-sized business owners are doing so many things, and they realize there's a lot of information out there, but it's almost overwhelming, where do i go for the right resources. so we partnered with ncsa to put together a framework, five steps to help you think about, what's the most important asset that you need to protect and what do you need to do. the thinking behind that is if we can give you the five steps, it can help you and your organization put together a plan, start small and let it grow. the five elements are identify the issue, protect your data, detect problems, respond and then recover. and it's really a circle. because once you get your house in order, if you, a few months
11:30 pm
later, there may be more data, a potential situation, and it doesn't stop. but it gives you confidence that you will have the tools that you need to do what you need to do. and the other part of the program is to provide vetted resources. again, there's so much information out there. you've heard a great deal this morning and there's much more. so what are the trysted resources i can use as a small business person and put in effect quickly and help my staff think about sign you are security, not in i can't do anything, but these are the three, four things that i can do to be a trusted business for my consumers. >> i want to go to kara for a second. you know, you sort of mentioned that people get information. what kind of information do they get and how does that go back and forth and how do people use it. >> there are a couple different methods. members get access to the secure portal which i talked about, which is, yes, another place
11:31 pm
that you have to log-in and remember a password, but we like to think of it as another resource for people. joint intelligence products, public service announcements, private industry notifications, those are a couple of the different types of products posted there. it's into the just fbi but dhs, ftc, sba, nest, we like to, you know, get as much information to our members as we can. oftentimes, some of the more technical information that we put out called a flash report and a fbi liaison report will provide indicators that companies can use to plug in to their networks and systems. doesn't have attribution of those things, but it has enough information for folks to plug holes, if you will, to better be able to protect themselves against the threats. and each fbi field office has a special info guard coordinator that is a liaison to their local chapter, so a local chapter has a person as opposed to calling a
11:32 pm
switchboard that they can get in touch with. and if it's cyber related, most of our info guard coordinators sit on cyber squads in those field offices. we can get new touch with the experts who can talk about the threats you're seeing or if you've an incident and you don't know what to do about it, especially if you are the chief cook and bottle washer and don't have enough resources to figure out what's going on. i will get you in touch and my colleagues will get you in touch with the agents and analysts in that field office that can help you with that issue. and even if it's not cyber related, you know, it still puts a face to a person and a fbi field office which oftentimes just calling a switchboard and not knowing exactly who you're talking to, you know, is daunting enough in and of itself. so it's a trusted partnership. the info guard coordinator becomes a trusted partner with those partners. and we have information to share and us to share it back with
11:33 pm
them. >> if you have a question, write it down on a card and kristin here will pick them up. you can move them to the side here and we'll try and get them answered. thank you for that. kenneth, i want to go back to you for a second. in october, national cyber security awareness month, released data on millennials. one thing is that young people didn't actually know what a cyber security professional does. right? they'd kind of heard about it. and when you ask them, are they interested in a career in cyber security you get a pretty good response, i think. when you ask them are you interested in a career protecting the internet, the response goes up dramatically. they understand that in plain language an a little better. but one of the things they said to us, two things. first, that nobody had talked to them about cyber security careers in high school. no teacher or guidance
11:34 pm
counselor, and two, they didn't know what a cyber security career was. can you talk about how maybe we can bridge that gap a little bit and figure out how to get some communication to younger folks about how to get engaged in these careers? >> certainly, we're doing a number of things. and, as i mentioned a short while ago in my introduction, we do a lot of k-12 outreach. for example, we're working with the governor's schools in the area, and frankly all the high schools, and our faculty and staff go out and give presentations and sponsor different student clubs that are going on. you know, one example would be even with the first robotics competitions and the things that are focussed on roboticing, but roboticing is a short step away from autonomous systems, which gets you into cyber. one of the things we're doing is
11:35 pm
working with the community, working with the corporate community, with industry, federal agencies, economic development groups, the northern virginia technology council. there are thousands and thousands of people who live and work in the northern virginia area who touch upon those groups and can also go out and spread the word about what we're doing. our most recent program that i mentioned, our batch loor of science in cyber security engineering, we specifically developed that in partnership with industry to find out what their needs are. we worked with northrup grummond. and we're making sure that our programs are relevant. they're multi-disciplinary. today cyber security touches all aspects of business, and for example, it could be in the health care industry or driverless cars and drones and
11:36 pm
uavs, and that soort of thing. so the high school millennial generation, they're all aware of these things, they all have their smartphones, so it's really for us to reach out and show them just how broad cyber security is, and it is truly multi disciplinary. and in some ways we can exploit every cyber incident that occurs. we talking just before the meeting about the hello barbie. and now you have barbie dolls that are wi-fi connected and home appliances, refrigerators and things like that that are on the wi-fi. and every time that's out in the news, then that's an opportunity for us to show how young people can have very fulfilling professions in this area. and, as i mentioned with the parents, just letting them know that your child could go out there and have a very good paying job and they're going to be in demand for 20, 30 years, that helps a lot, too. so when we go to high schools we
11:37 pm
also reach out to the parents to try to show them that their children can have very good opportunities in this area. >> so a cyber challenge is very important part of this. maybe can you explain what a cyber challenge is and some other research we did with e-set in october showed that only about a fifth, i think it was 20% or 25% of parents even knew had heard anything about these. can you talk about cyber challenges and the role they play into getting kids in the space? >> that's one way to get kids interested in cyber careers, especially once they come to the university. they, you always want to be sure that they stay in the program and retention becomes an issue. so the co-curricular and extracurricular learning opportunities are very important. things like hack-a-thons. there are national competitions, every university in the nation,
11:38 pm
that has cyber programs will have these opportunities and to push that down to the high school level is very important, and that's beginning to happen. a lot of our schools, there's a high school club that does hack-had-thons, and so all these programs are very important, and we hold, for example, career fairs. we go out to the high schools and try to also use our current students to go back to their high schools and to engage with their student clubs to be sure that students haare having thes opportunities to see that three can have a lot of fun with it as well. saernly, if the programs aren't interesting we won't succeed in getting students to come into them. the students really, just at george mason alone there's problem lay dozably a dozen gron
11:39 pm
join. >> go ahead, please. >> the other thing is to get families interested in sign irsecurity. y if we use tools to control the batted part, internet is a huge value to all of us. it's getting the students involved but the whole familiar limit you really don't want one person in your family being the expert. you want to raise the level of comfort so people start thinking about i'm going to use the internet and these tools. i need to think about how i can do it the right way, the smart way and not be afraid of it. so it's really an education, starts with the students but really it's the whole family. >> we think sicyber security hes you do more. we talk a little about how you're supporting them or how they should be supported or what they need to make them successful? i think we will see every single
11:40 pm
business in this country is going to need some form of cyber security. it's all throughout the ecosystem. how are you going to support these folks? >> first, i'm feeling better as a parent. i often drag my 4 year old to a hack-a-thon. so young samuel's getting early exposure to that. he's attending, but we talk about this in our house a little bit more in terms of he's got a lot of digital devices. he watches us. and as a 4-year-old will he counsel his father. so on the other hand we're fearful of how we're going to address these things as we move into this advanced digital age. but back to your question, we often talk about small businesses don't know what they
11:41 pm
don't know. so drawing them in to talk about a lot of business topics is sometimes a challenge. so it behooves us to work in partnership, make sure that while we counsel people about marketing we expose people to a semi comfortable setting. now it's definitely probably the new norm where it's sort of built in to your standard business plan or these advanced formats for, as people talk about how they're going to set up either their app, their business or their potential unicorn. so it's sort of baked in now. and i think we're doing a pretty good job. it's heightened, for a lot of main street businesses, you may have talked about this durk the holiday sales season, there's a lot of sales opportunities, people are going more online. how do we communicate with people to pay attention to seeker security.
11:42 pm
we've been talking about the chips in credit cards and how small businesses need to pay attention to those, how the card readers and the standards and requirements are going to revolve 30 day periods as the credit card industry pays more attention to this. we often talk about food trucks in a lot of cities across the nation. they're probably not starting that food truck thinking about seeker security right off the bat. but we just launched a cyber security vandalism tool kit. we see a lot of cyber hacks in social media channels. so whether somebody hacks into that social media channel and that's interconnected with your e-commerce or web platforms but also how somebody can communicate on your behalf. so a big vulnerability we thought there, and we partnered with the general services administration to launch a cyber
11:43 pm
vandalism tool kit. as folks go into the cloud and mobile computing, we find that's a huge area of concern. small businesses are talking a lot about it as they have been for the last couple of years, but now the extra layer of cyber security. the staff training, a lot of folks have talked about main street, and companies are talking about how they train their small business employees to lock the back door. how do you lock the back door of your website or your partner organization, digital vulnerables. so that's a huge area. insurance objections. peop you have flood insurance, what type of insurance can you have for seekercyberattacks. we have incubators that are
11:44 pm
focussing on cyber security firms. there's a number of award-winning firms, that the white house has honored and other organizations have for small businesses that have a deep expertise in this area and are either working with small businesses or a lot of corporate america. the press has covered a number of corporate hacks, so corporate america's paying a lot of attention to their supply chains, which gets into the small business community as well. those are just a range of topics that we're talking to small businesses about and trying to do a better job of connecting them to the right resource in their community, as a lot of things, all politics are local. when we have people talking about security issues, much of that is local >> i'll throw this out to all of you. our experience has been they're the hardest group to get their attention, right? they're very limited bandwidth.
11:45 pm
so any good ideas for reaching these folks, the right kind of messages to send them or info guard is working with them across the country, and bbb is basically local across the country, everywhere you go. so thoughts about how we engage them in a way that's productive. i think sometimes these small businesses, you know, maybe overwhelmed by the amount of information that's out there. so approaches, ways that we can do that better? >> if you're not familiar with them, score, which is a large national mentor network. small business development centers and women business centers. these are natural hubs. so if you're trying to reach out to businesses or provide training opportunity, whether it's a flyer or workshop, those are excellent resources to access small business communities. >> info guard membership is free. and it's, as i said, an easy
11:46 pm
conduit to go directly to your fbi field office where we will give briefings about those threats to small and nemedium businesses. the info guard program does a lot for interest-driven areas. there's a lot of cyber topics, driven largely by your demographic and what your membership is, but we do a lot of cyber topics. so those programs allow those folks who might not be able to, the smaller and mid-sized companies that might not be able to get those resources elsewhere to come to info guard and have access to the fbi where we can share the threats that we see and how they're targeted, what the big scams are and give those resources. >> from the university perspective, universities are a resource in their communities for the surrounding business
11:47 pm
communities. i know all the universities in this region and also throughout the commonwealth of virginia do provide services for small companies. for example, george mason university, we do have a network of small business development centers and the mason enterprise center, and the school of business for example is very proactive in helping small business and providing advice on cyber security is very important. but i'd also add that as you noted, there's a great need, and we need to do more, and a lot of small businesses don't get into it until they have a problem. and i do know that under governor mckol la is making a plan to make a large investment in cyber security. the budget will be announced december 1477th.
11:48 pm
they've already had a series of small press releases. at george mason university, in the governor's budget, there will be an additional $400,000 to provide more training for cyber programs in the community. and some of that will go to beef up the veterans pathways program that i talked about earlier. there's also going to be seg investments in things like cyber ranges that will work, pull all the universities together with industry throughout virginia to provide more opportunities to provide training for cyber security that will then benefit the business community both large and small. >> can you tell people what a cyber range is? that might not be common knowledge to folking. >> so cyber range would be basically, it will mimic the larger internet. the internet of things, and networks and storage and computers. so it's meant to imitate the larger internet but in a controlled way. and then you, for example you
11:49 pm
can have teams to try to hack in and defend it and you don't have to do did on the larger internet in case things go wrong. you can control it. >> you're right. small business owners are so busy that the message needs to be told many different ways and have linkage. one of the things that we're doing to get people's attention is right now we're talking about holiday scams. you as a consumer may be looking at the holiday scam list, but also as an employee and small business owner are hearing the same thing. so we try to divide our messages, one consumer focussed and one business focussed, and there's lynn gainkage. make it easy, one step, two step, three step, i can do this. i can get it. it's not going to take all my time, but it's going to protect
11:50 pm
my family, my employees, my business and customers. >> you raise the holiday scams, and it's the holiday season. are there some that people should specifically be paying attention to right now? >> absolutely. most scamming are imposter scams. be very careful if you receive an e card and it does not say who it is from or ask you to give personal information to open the card or has a special link. a lot of the scams are, or it's a fake shipping announcement. we've tried to deliver a package to you. please click this link to find out. if it doesn't say who the package is from, don't click the link. there's lots of sneaky ways that they try to get malware loaded during the holiday season, and of course the family scam, often called the grand parent scam where in this holiday time of lots of travel i've been stranded. grandma and grandpa, please e-mail me money, i'm in the hospital, i'm very ill.
11:51 pm
please do not send any money until you talk to a family member. and the big scam too are these odd ones that look like you got a great deal. it's a special sale. check now, but it asks for payment, either wire transfer or prepaid debit card which can't be traced. and once it's sent it's gone. lots of red flags out there. but if you take a moment, i think most of the scams row lion an emotional response. if you take a moment and say wait, if the bad guy's out there, what are they trying to get me to do. stop and think before you connect. you can have a very happy holiday. >> let me ask a follow-up on that, too. one of the things we looked at was the number of people who drop off shopping carts because they're concerned about the a personal information that's being collected or they're trusting kind of their, you know, their gut about, you know, what's going on. any advice for businesses when
11:52 pm
the they're communicating with their customers about completing a transaction? >> wul, look for https, s stands for secure and has a lock sign. that means you're protected. as a business, recommend they pay by credit card so you have support in trying to collect if it has been fraudulently obtained. and most businesses will not encourage you to pay by wire transfer or prepaid debit card. the more business can do to show that they are working to protect your information and give those tips or promote that they're working through paypal, give the customer another reason to cope goi -- keep going. make sure that your privacy policy is posted. people are starting to be a little more savvy and looking for billboards that say you're safe. they may not get down to your postcard, but they're looking for a billboard to say this is a good company, i can use them and trust them.
11:53 pm
>> i think consumers are looking for the road signs then selves. it's not just the business being secure but how they exfres that out to everyone as well. any one else on the topic? >> i would continue to validate the business e-mail compromise is probably one of the top things we still see. so it doesn't matter the size of the business, small, medium or large, if they engage in wire transfers or have a lot of foreign partners, that's a huge vulnerability where we see a lot of cases come out of. >> i would just follow up that it's definitely a concern this season, but i would look at january or february also from a small business perspective to also have those inward-facing discussions on staff training but your banker or your other supply chain partners, talking about their vulnerabilities, their experiences and their cyber protections. it's a very hectic season for small businesses. you want to be as diligent as
11:54 pm
pochblt but i'd also think about january and february if you're an entrepreneur, talking to other folks. so many small businesses have multiple interdependencies, and not everything is in your immediate span of control. it might also prompt whether you need to look at a different service provider or solution for some of these, but you want to start id kating yourself and having those discussions like you would with any of your business partners but now cyber security is a must discussion that you must have maybe early notice year. >> have you encouraging new year's resolutions? >> absolutely. cyber security fitness. >> can you give us till january 3rd to start? get through the holiday season. we just have a few more minutes. we do have a question way in the back. maybe we could, you can shout it out, and i'll repeat it. >> first, i'd like to thank you for this excellent program. >> you're welcome.
11:55 pm
>> i mean, your superb speakers, and i feel like you guys are the reason america is still on top. but, i have a question, personal questions. i have some ideas for selling stuff on a website. and i use search engines to see if somebody already has those. and i'm just wondering if when i do that am i safe? is somebody scrutinizing the search engines and they see something and they can grab it. and register it before me? is there a way to protect myself when i, you know, and i search like g mail or something something. so if you also want to have a connected, you know, e-mail or something? with the same name? who's watching that? who, how do i know that somebody
11:56 pm
can't register it themselves right away and cut me out? >> so the question is, really about the gentleman here is trying to look for things to sell online, trying to be creative, have some intellectual i think pursuits around naming some things and there's a way to protect that effort's undergoes and makes sure that no one tries to steal his ideas as he's sort of free associating them into the internet, is that a good way to explain it? >> the general response that we are being tracked to some extent on the internet when you're using search engine, free e-mail solutions and conducting market research or looking for branding opportunities, so it is something to be aware of. i, i have not heard many cases of people doing a general search and then finding it as though somebody's tracking it immediately and snatching up a url or a product name.
11:57 pm
there are millions and billions of these searches going on every day, so i don't think they're being snatched up. that doesn't guarantee, though, if you do a search today that url or product name won't be taken somewhere else. people are gobble being up these websites and product names every day. so search, search, and search. there's a lot of great small business tools that will give you alternatives if something isn't currently available on that front. and if you get to a point where you're going to copy right or patent something we have a lot of solutions at the local level and also at the federal level at the uspto of some tips on what might be to claim a right to a name or website. any other tips as they're trying to protect their intellectual property as they're conducting searches? >> i agree with all that, but i would add one more thing. maybe the obvious thing.
11:58 pm
something really, really hot that you think is going to be something to really take off, limit how much you get that out there. we, at the universities, with our research, we deal with intellectual property all the time and have lots of disclosures and through the patent process mostly, and the best advice is, until you're really ready to move quickly on it hold it back, because once it's out there, somebody can grab it. hold back as much as you can until you figure it out. >> i would add one thing here. if you find a domain name, because that sounsd like what you were searching for, if you find one, that's available that you like, go get it, because in this world, a lot of people have good ideas, and as unique as you may think your idea is, other people may be thinking about the same thing. so a lot of us hold many different domains that are associated with things that we do. either as a protection so other people can't spoof us or make that happen or because we just have a great idea and we don't
11:59 pm
know if it will ever make it into reality, but we want to just hold it, because who knows, we might have the next big thing, right? any other questions from the audience? a couple down here. we'll try to get a couple in. our card system did not work all that well today. so speak up. >> by show of hands from the four panelists, how many of your companies, agencies or departments have been hacked or compromised in the last three to five years? >> three to five years is forever. >> and what have you done to protect the people who have been compromised or hacked. the outsiders or the employees. what is your first one or two processes? do you notify them? do you do some cleaning through internal government agency? how do you deal with that? >> i guess i'll start, since i'm holding the mic. mason's had intrusions.
12:00 am
i think every university in the united states like a lot of big companies, people are constantly trying to hack into the networks and do malicious things. and so we have a large staff that handles our cyber security. k about earlier, things like that. even beyond the university itself, for example, our benefits are through anthem and anthem was hacked, and we have a lot of people who do classified research, for example, and the government clearance process, that was hacked into, and so a lot of times i, for example, have four different free monitoring for identity theft with different groups for the next two or three years because of these different things. so whether it's target or the federal government or health benefits, this happens all the time. so, the general advice everybody has given is what to follow, especially the higher levels of authentication when you get on the internet and doing
12:01 am
somethings online, very important. >> the bbb name is known and trusted so people -- i phishing stams and i brought my security officer here to talk about it. the most important thing is as soon as we know something is going on, let people know. there's a phishing scam and get the word out to our bbbs right away. if someone has done something, if they have accidentally downloaded some malware, the worst that is that they are afraid to tell you because the longer that sits, the more your company is in danger. so, we have a policy, if anybody suspects anything, if anythings happened, let us know right away. we're going to act on it and try to protect as many people as we can because one of the worst things any company can do is have an employee that inadvertent live downloaded something or knows there's a problem and sits on it too long because it won't go away, it just gets worse.
12:02 am
>> just looking at this from a little bit different of a perspective, a lot of times my colleagues will come to me to say, do we have a member at a company because they have to do a victim notification. so they're telling the company, you have a problem, and so for us, developing that trust with those members is key, because it enables a much better interaction with us going out to a company and saying, we have some bad news. so, having that two-way trust is vital to the work we do not that arena. also, the fbi has become more forward-leaning in reaching out to industries that are targeted and have been targeted. they've made a concerted effort from the headquarters level within our cyber division to reach out to the healthcare industry, for example, also to bulk holds over pii, especially related to government pii, and in doing so, kind of being more
12:03 am
pro-active, often times as the result, as a large breach, but going out there and saying, these are some of the thing that we have seen, best practices, after action almost if you will to hopefully get a little bit in front of that for the next time. >> federal employee information was breached through the office of personnel management so i think it's fairly well documented. if anybody wants to read that, on multiple web sites or opm.gov they're a case study but as a staffer or custom over opm, communicated often and frequently with me, sending mall information so it got to my home address of record, internal communications on cyber hygiene, a lot of q & a sessions at my agency and opm. so if you have a question that wasn't resolved on the faf documents or other mechanisms for education, we could ask that and then a lot of standard
12:04 am
responses in terms of monitoring systems, tips, and information. so, i felt fairly confident given the circumstances, as an individual my next couple of steps in terms of figuring out my personal vulnerability, if there were breaches, moneys withdrawn, from my bank account or other access points which my pii sort of provided these hackers. so sort of an ongoing issue as a federal employee. i'm more diligent at the personal level, at our agency level there's a lot of communications, we're communicating in multiple avenues, whether it's fliers, quizzes, discussions, as i mentioned, so that was a lot of the response i saw in individual federal employee, but you can read this information and a lot of great case studies out there. >> this is a true confession. i think three octobers ago our web site was compromised. we're not sure if it was a
12:05 am
malicious hack. we don't know that for sure. but what we did know -- did come to find out -- we don't collect personal information can mostly just an information giver. we don't engage in business transactions with people or purchases or sales. actually, our former web developer was using an open source system and there were some patches that were available they did not put in because they liked the way the old version worked better than the new version, which had some security features which they had not knowingly told us they weren't going to update our software for our web site, and that led to a vulnerability that was actually across the whole web that this particular open source system had that hackers were using, and they used our web site to direct people to malware and other kinds of things. so we dade notification, we posted a blog about what happened on our web site, and let people know that if they had any issues, they should change
12:06 am
passwords and do other things. so it's not always about data. sometime if you're a business-it could be your web site being hacked or compromised, could be used for other purposes could be used to redirect people to places they don't want to go. so it can happen in a lot of different ways. i think the important piece here, i think, is we're getting better at telling people when this happens inch the old days -- in the old days, you got a breach, the first thing is, don't tell people. now you're like, tell people. so that's a good change. we still have hacks and have to work on that. we have another question right here. man this will be the last one and then we'll have closing remarks. >> i was just wondering hough often you see accounts of two step authentication being compromised. >> i don't -- probably no one here -- unless you do from the education --
12:07 am
>> i'm not aware -- since we have gone to the two factor we haven't had any problem with people's accounts being compromised. that was the requirement for strong passwords and sending something out through your phone that is on record and that sort of thing has really worked very well. so i think that's a really important thing to do. once you do that you still have the other vulnerabilities that were just talked about, at least in our experience at the university, that's where you continue to have problems. >> i tell you, if we had the super-duper cyber security researchers, some would say that two-factor can be hacked because there's no such thing as perfect security. let's remember that. someone said that earlier. in the current world, right, you have people who are using two factor and people that aren't, and let's just say the bad guys are opportunistic and going to go to the lowest hanging fruit. if i have a million compromised
12:08 am
accounts and 800,000 of them i already have their log-in and password and the other 200,000 have multifactor awe then tick indication on them -- authentication guess which ones i'm going to first. that's the kind of environment we're in right now. but as time goes on, i'm sure there will be efforts be the bad guys to break into what we put in place and we have to keep increasing the able to make the systems more secure. so, with that said, whatnot to run down -- anybody have in the last thoughts or remind people of a resource that might be helpful to them? and just start from that end and work towards here. >> well, thank you for letting us be here and thank you for joining us. this is a really torrent topic and we can't talk about it enough. it's not going away and it's growing. i think we're taking baby steps to take on a challenge. the web site i'm most proud of is bbb.org because we partner with the folks here. we share information with the
12:09 am
ftc and the reports and the scams recorded, we make sure no permanent information is available -- personal information is available0. if you have been scammed, people are embarrassed, nothing about you will come out. just about the scam, and we share a lot of our data. so, a lot of these -- all the web sites and the forces here are often linked, which is good, and i would do a little plug that though beer talking about cyber and -- we're talking about cyber and the internet, there's great materials out front so terrible an old fashioned copy and read it, the the same information is online. there's great resources from everybody here. >> in closing i would just say, if you're interested in learning more before the the educational programs we're doing, our web site, gmu.edu has links that will lead you to a lot of what we're doing in cyber security. the one thing i didn't mention is, as a research university, we
12:10 am
do have the experts that do research, some of them are sitting out in the audience right now. and we are also trying to really do the research work with the industry and the federal government to stay one step ahead or maybe two steps ahead, and -- >> five steps ahead. >> five steps ahead. and we are really doing very creative work and getting a lot of support from our partners and the universities are work egg together as well -- working together as well. just as an example -- this is rapidly changing and brand new, and five years ago, there weren't vary men cyber security programs. now there are hundreds and in five more years there will be more than that. so we're also working with different groups to set standards, common outcomes for programs and that way we can go in and continue to improve and accreditation. so it's a rapidly changing area,
12:11 am
one with great opportunity, and again as a university educator, we strongly encourage young people to consider that as a career opportunity. >> i, too, would encourage you to look into -- as a potential venue to find more resources available to you as well as echo my colleagues' statements. you'll see a lot of links to each other, so we try to afford you the most opportunities to get the information to help you protect yourself. >> and reminder, sba.gov sba gov gov, punch in your zip code to find a local resource or take the digital tools that all of us provide. if you have something you like from a small business perspective and you don't see it on our web site, feel free to e-mail me, jack@sba.gov. happy to provide it to our team. we're always looking for material that fits best for small business owners. if you have something you're a big fan of-send me a note and
12:12 am
we'll process it. go to our web site and find a local workshop at a library, university, better business bureau or a federal outlet. >> so let's gave big hand to the panel. [applause] >> as always a very lively conversation, really great experts up here. i want to thank our partners today that made this possible. the bbb, google, george mason, being here at the arlington public library has been a great honor today to do that. i want to thank all of you for coming and just please take the time to just do one or two things to make yourself a little safer online and remember you'll make the internet better for all of us. so have a great day, and thanks again. [applause] copy today at
12:13 am
12:14 am
12:15 am
c-span.org/landmarkcases. house homeland security committee chair congressman michael mccaul talks about the state of homeland security. he spoke last week at the national defense university here in washington, d.c. >> good afternoon and welcome. it's wonderful to be back at the national war college. it's such a prized institution and important part of our nation's history. it's a privilege tojo

9 Views

info Stream Only

Uploaded by TV Archive on